Abstract

Several kinds of qubit-string-based (QS-based) bit commitment protocols are
presented, and a definition of information-theoretic concealing is given. All
the protocols presented here are proved to be secure under this definition.
We suggest an attack algorithm to obtain the local unitary transformation
introduced in the no-go theorem, which is used to attack the binding condition,
and then study the security of our QS-based bit commitment protocols under this
attack by introducing a new concept, "physical security of protocol". Finally,
we present a practical QS-based bit commitment scheme against channel loss
and error.



1. Introduction 

Research on quantum cryptography may be traced back to about 40 years
ago. Soon after Wiesner's work was published [1], Bennett and Brassard proposed
two quantum cryptographic protocols in their original paper: quantum
key distribution (QKD) and quantum coin tossing. Though QKD has been
proved unconditionally secure and applied in practice,
the quantum bit commitment (QBC) developed from quantum coin tossing
has been proved impossible [12], [13]. A generally accepted QBC scheme was
presented by Brassard, Crépeau, Jozsa and Langlois in 1993 [10], but its
unconditional security was shown to be impossible in 1996 [11]. Later, the
idea in [11] was developed by Mayers [12] and Lo-Chau [13] independently
and resulted in the no-go theorem of QBC. It is shown that any kind of
interactive protocol of QBC is also impossible [14].



Although facing such clearly negative results, some authors still keep on
exploring unconditionally secure QBC which is not covered by the
no-go theorem, or proving that the no-go theorem does not hold in some
cases. For example, Kent constructed a weakened scheme called quantum bit
string commitment [15], and then the concept of cheat-sensitive quantum
bit commitment was presented by Hardy and Kent [17]. These results were
developed by Buhrman et al. [18]. Yuen believes that there generally exist
unconditionally secure QBC protocols [16], though his results have not been
generally accepted yet.

In this paper, we show that the security of qubit-string-based (QS-based)
bit commitment using the length of the string as safe parameter is better than
that of classical bit commitment, and that it is possible to use QS-based bit
commitment as a practical scheme. The paper is organized as follows: in Sec. 2
some preliminaries are given; in Sec. 3 we give the concept of
information-theoretically concealing for quantum bit commitment; in Secs. 4, 5
and 6 three kinds of QS-based bit commitment protocols are presented and proved
to be information-theoretically concealing; in Sec. 7 four other kinds of
QS-based protocols are discussed; finally in Sec. 8 we show how to construct
practical QS-based protocols against channel loss and error.

2. Preliminaries 

We relate here the concepts of classical bit commitment and $n_0$-th order
correlation immune Boolean functions, and describe a concrete form of the
EPR attack suggested by the no-go theorem [13], assuming that readers are
familiar with the concepts of Boolean function and the content of the no-go
theorem of QBC.

2.1. Bit commitment 

A bit commitment protocol includes two phases. In the commit phase,
Alice determines a bit ($b = 0$ or $1$) and sends to Bob a piece of evidence.
Later, in the open phase, Alice opens the value of $b$ and some information of
the evidence, and Bob checks whether Alice lies or not. A secure bit commitment
needs two properties: binding and concealing. Binding means Alice cannot
unveil $1 - b$ without being detected after giving the evidence; concealing
means Bob cannot get the value of $b$ before Alice unveils it. It can be proven
that no classical bit commitment can satisfy both statistically concealing and
statistically binding simultaneously.

After quantum cryptography was put forward, people desired to realize
unconditionally secure QBC with quantum physics. Unfortunately, the no-go
theorem of QBC [12], [13] says there cannot be an unconditionally secure
QBC protocol; only unconditionally concealing or binding protocols can be
constructed.



2.2. $n_0$-th Order Correlation Immune Boolean Functions

Definition 1. Let random binary variables $x_1, x_2, \dots, x_n$ be independent and
uniformly distributed. Then a Boolean function $f(x_1, \dots, x_n): GF^n(2) \to GF(2)$
is called an $n_0$-th order correlation immune Boolean function if for every
subset $\{i_1, \dots, i_{n_0}\} \subset \{1, 2, \dots, n\}$, the random variable
$z = f(x_1, \dots, x_n)$ is statistically independent of the variable
$(x_{i_1}, \dots, x_{i_{n_0}})$.

2.3. EPR-attack given in no-go theorem 

At the commitment phase of a QBC scheme, the committer Alice chooses
commitment value $b$ towards the receiver Bob. A cheating Alice can
do as follows [13]:

1. Alice prepares a state $|0\rangle$ without committing any values and sends the
register B to Bob,

\6) = J2^)a®\4 0) )b, (i) 

i 

where $\langle e_i|e_j\rangle = \delta_{ij}$, but the normalized states of register B
form a set of nonorthogonal states.

2. At the open phase, if Alice decides to commit 0, she makes a measurement
on the register A and gets the value of $i$, then sends $i$ to Bob,
and declares 0 as her commitment value.

3. If Alice decides to commit 1, she makes a local unitary operation $U_A$
on the register A which satisfies:

$$\langle 1|(U_A \otimes I)|0\rangle = F(\mathrm{Tr}_A|0\rangle\langle 0|, \mathrm{Tr}_A|1\rangle\langle 1|) = 1 - \delta, \tag{2}$$

where 

|i) = E^l e ^®l^ (1) )^- ( 3 ) 

i 

Because the state $(U_A \otimes I)|0\rangle$ is almost the same as the state $|1\rangle$,
she can do as if she has sent the state $|1\rangle$: she makes a measurement on the
register A and gets the value of $i$, and then tells Bob that she has committed
the value 1 and sends $i$ to Bob. It can be seen that this attack strategy will
be successful with probability $1 - \delta$ with a small $\delta$.

3. Information-theoretic security

In classical cryptography, information-theoretic security is suggested
by O. Goldreich as follows:

Definition 2. A private key encryption is information-theoretically
indistinguishable if for every circuit family $\{C_n\}$, every positive
polynomial $p(\cdot)$, all sufficiently large $n$'s, and every $x, y$ in plaintext space:

$$\left|\Pr[C_n(E_{G(1^n)}(x)) = 1] - \Pr[C_n(E_{G(1^n)}(y)) = 1]\right| < \frac{1}{p(n)}, \tag{4}$$

where $G$ is a key generation algorithm.



We suggest here a definition of information-theoretically concealing for
quantum bit commitment protocols as follows:

Definition 3. A quantum bit commitment protocol is information-theoretically
concealing if for every quantum circuit family $\{C_n\}$, every positive polynomial
$p(\cdot)$, all sufficiently large $n$'s, and every $x, y \in \{0, 1\}$:

$$\left|\Pr[C_n(E_{G(1^n)}(x)) = 1] - \Pr[C_n(E_{G(1^n)}(y)) = 1]\right| < \frac{1}{p(n)}, \tag{5}$$

where the encryption algorithm $E$ should be a quantum algorithm.

According to this definition, we can get the following theorem on the
concealing condition:

Theorem 1. Let the density operators of the quantum state Bob receives be $\rho_0$
and $\rho_1$. A QBC protocol is said to be information-theoretically concealing if
for every positive polynomial $p(\cdot)$ and every sufficiently large $n$,

$$D(\rho_0, \rho_1) < \frac{1}{p(n)}. \tag{6}$$

Proof. Define $S_0$ as a set containing all the states Bob could receive when
Alice commits 0. For every quantum circuit family $\{C_n\}$,

$$\begin{aligned}
\Pr[C_n(E_{G(1^n)}(0)) = 1] &= \sum_i p_i \Pr[C_n(\rho_i \otimes \sigma) = 1] \\
&= \Pr[C_n(\textstyle\sum_i p_i \rho_i \otimes \sigma) = 1] \\
&= \Pr[C_n(\rho_0 \otimes \sigma) = 1],
\end{aligned} \tag{7}$$

where $\sigma$ is the density operator of service bits of $C_n$.
Similarly,

$$\Pr[C_n(E_{G(1^n)}(1)) = 1] = \Pr[C_n(\rho_1 \otimes \sigma) = 1]. \tag{8}$$

Any quantum circuit family $C_n$ built for distinguishing two density operators
corresponds to a positive operator-valued measure (POVM) $\{E_m\}$.
Define $p_m = \mathrm{Tr}(C_n(\rho_0 \otimes \sigma)E_m)$ and
$q_m = \mathrm{Tr}(C_n(\rho_1 \otimes \sigma)E_m)$ as the probabilities of
measurement outcomes labeled by $m$. In this case, we have:

$$\begin{aligned}
\left|\Pr[C_n(\rho_0 \otimes \sigma) = 1] - \Pr[C_n(\rho_1 \otimes \sigma) = 1]\right|
&\le \max_{\{E_m\}} \frac{1}{2}\sum_m \left|\mathrm{Tr}[E_m(C_n(\rho_0 \otimes \sigma) - C_n(\rho_1 \otimes \sigma))]\right| \\
&= \max_{\{E_m\}} D(p_m, q_m).
\end{aligned} \tag{9}$$

The last formula is equal to

$$D(C_n(\rho_0 \otimes \sigma), C_n(\rho_1 \otimes \sigma)) \le D(\rho_0 \otimes \sigma, \rho_1 \otimes \sigma) = D(\rho_0, \rho_1) < \frac{1}{p(n)}. \tag{10}$$

Hence, according to Definition 3, the theorem follows. □

For the QS-based protocols described in this paper, the safe parameter
$n$ is the length of the qubit string used in the protocols.

4. QS-based bit commitment based on coding of two non-orthogonal states

4.1. The scheme

Let $|\psi_0\rangle$ and $|\psi_1\rangle$ be two non-orthogonal states, and let $F(\cdot)$ be an
$n_0$-th order correlation immune Boolean function. The protocol is as follows:

Protocol 1.

1. Alice makes a commitment $b \in \{0, 1\}$.

2. Alice chooses $a^{(i)} \in \{0, 1\}^n$ randomly, here $i = 1, 2, \dots, m$, and
$a^{(i)} = (a_1^{(i)}, a_2^{(i)}, \dots, a_n^{(i)})$ satisfies $F(a^{(i)}) = b$.

3. Alice prepares $m \times n$ qubits in state
$|\psi_{a_1^{(1)}}\rangle \cdots |\psi_{a_n^{(1)}}\rangle |\psi_{a_1^{(2)}}\rangle \cdots |\psi_{a_n^{(2)}}\rangle \cdots |\psi_{a_1^{(m)}}\rangle \cdots |\psi_{a_n^{(m)}}\rangle$,
and sends them to Bob as a piece of evidence for her commitment.

4. Alice opens by declaring $b$ and the values of $a^{(i)}$.

5. Bob checks states of qubits by corresponding projective measurements: if
$a_i^{(j)} = 0$, Bob measures the $(n \times j - n + i)$-th qubit with basis
$\{|\psi_0\rangle, |\psi_0\rangle^{\perp}\}$; else with basis $\{|\psi_1\rangle, |\psi_1\rangle^{\perp}\}$.
Unless each result is matched, Bob has to break off the scheme.

6. Bob checks commitment value $b$. If $a^{(i)}$ satisfies $b = F(a^{(i)})$ for every
$i$, Bob accepts the commitment value. □

4.2. The concealing condition

When $n_0 = n - 1$, the $n_0$-th order correlation immune Boolean function is the
parity function

$$F(a^{(i)}) = a_1^{(i)} \oplus a_2^{(i)} \oplus \cdots \oplus a_n^{(i)}. \tag{11}$$

Suppose the density operator $\rho_b^{(n)}$ represents the state Bob receives when Alice
commits $b$. As assumed, Alice sends each
$|\psi_{a^{(i)}}\rangle = |\psi_{a_1^{(i)}}\rangle \cdots |\psi_{a_n^{(i)}}\rangle$ according
to a uniform probability distribution, then



Pb 



(n) 



(12) 



Lemma 2. Protocol 1 is information-theoretically concealing.

Proof. Let $\alpha$ be the angle between $|\psi_0\rangle$ and $|\psi_1\rangle$.
The quantum states $\rho_0^{(n)}$ and $\rho_1^{(n)}$ satisfy [20], [22]



(n) 



(n) 

Po 



(n) 
Pi 



2 x 







sm^J cos^f 



sm^ J COS l2- 



<g>n 



(13) 



then we have 



(n) 



2 



(n) (n) 
Po - Pi 



sin a) 



(14) 



The parity function is usually used $m$ times in a scheme. We denote the
density operators of these $m \times n$ qubits as $\rho_0^{(n,m)}$ and $\rho_1^{(n,m)}$.
By using the triangle inequality of trace distance and
$|A \otimes B| = |A| \otimes |B|$, we can show that

$$D(\rho_0^{(n,m)}, \rho_1^{(n,m)}) \le m \times (\sin\alpha)^n. \tag{15}$$

It can be seen that for every given $m$, every positive polynomial $p(\cdot)$ and
every sufficiently large $n$,

$$D(\rho_0^{(n,m)}, \rho_1^{(n,m)}) < \frac{1}{p(n)} \tag{16}$$

holds. According to Theorem 1, this lemma is proved. □

Our proof of inequality (16) is valid only if the parity function is used. We
conjecture that if we use other $n_0$-th order correlation immune Boolean
functions to construct schemes, they may also satisfy inequality (16).



4.3. The Binding Condition

The Mayers-Lo-Chau no-go theorem shows that when a bit commitment
protocol is concealing, it cannot be binding. Here we first introduce the concept
of physical security of protocol, which means that the physical resource required
to break a cryptosystem is beyond that given to human beings by
nature. Note that no protocol can achieve Shannon's computation
security; the concept of physical security of protocol provides a way to reach
Shannon's computation security.

In Appendix A, we show a method to realize the attack on the
binding condition. With this method the attack algorithm's time complexity
is $O(2^{3n})$, and the algorithm needs at least $O(2^{2n})$ memory space to
store the matrix. When $n = 100$ the number of entries of the matrix $U_A$ is
$2^{100} \times 2^{100}$, which is greater than the number of atoms of the earth
(approximately $10^{50}$). This means that human beings cannot actually obtain the
matrix, so the attack strategy suggested in the no-go theorem can never be
realized in this case, and our scheme may be physically secure on the binding
side, if there is no efficient algorithm that can help to find the local unitary
transformation.

It has been proved that classical bit commitment is at most statistically
secure on one side and computationally secure on the other; therefore
QS-based bit commitment with information-theoretic concealing and physical
binding is a meaningful improvement if there is no efficient algorithm that
can help to find the local unitary transformation. However, whether such an
efficient algorithm exists is still an open problem.

Note that the parameter $m$ increases the trace distance between the density
operators of the evidence for committing 0 and 1; it is used to resist another
attack on the binding condition. Every $a^{(i)}$ satisfying $F(a^{(i)}) = 0$ can
be made to satisfy $F(a^{(i)}) = 1$ with one bit of change, and if Bob measures
$|\psi_j\rangle$ with basis $\{|\psi_{1-j}\rangle, |\psi_{1-j}\rangle^{\perp}\}$, he accepts
the result with probability $\frac{1}{2}$. Therefore without $m$ Alice can cheat with a
fifty-fifty chance of success, whereas with it she can cheat successfully only
with the small probability $(\frac{1}{2})^m$.
That is the reason why we add the parameter $m$.

5. QS-based bit commitment based on conjugate coding [23]

5.1. The scheme

Let $|0\rangle_0 = |0\rangle$, $|1\rangle_0 = |1\rangle$, $|0\rangle_1 = |+\rangle$, $|1\rangle_1 = |-\rangle$, and let
$F(\cdot)$ be an $n_0$-th order correlation immune Boolean function. The protocol is
as follows:

Protocol 2.

1. Alice makes a commitment $b \in \{0, 1\}$.

2. Alice chooses $a^{(i)} \in \{0, 1\}^n$ randomly, here $i = 1, 2, \dots, m$, and
$a^{(i)} = (a_1^{(i)}, a_2^{(i)}, \dots, a_n^{(i)})$ satisfies $F(a^{(i)}) = b$; and chooses
$b^{(i)} \in \{0, 1\}^n$ randomly, here $i = 1, 2, \dots, m$,
$b^{(i)} = (b_1^{(i)}, b_2^{(i)}, \dots, b_n^{(i)})$.

3. Alice prepares $m \times n$ qubits in state
$|a_1^{(1)}\rangle_{b_1^{(1)}} \cdots |a_n^{(1)}\rangle_{b_n^{(1)}} |a_1^{(2)}\rangle_{b_1^{(2)}} \cdots |a_n^{(2)}\rangle_{b_n^{(2)}} \cdots |a_1^{(m)}\rangle_{b_1^{(m)}} \cdots |a_n^{(m)}\rangle_{b_n^{(m)}}$
and sends them to Bob as a piece of evidence for her commitment.

4. Alice opens by declaring $b$ and the values of $a^{(i)}$ and $b^{(i)}$.

5. Bob checks states of qubits by corresponding projective measurements:
if $b_j^{(i)} = 0$, Bob measures with basis $\{|0\rangle, |1\rangle\}$, else with basis
$\{|+\rangle, |-\rangle\}$.

6. Bob checks value $b$. If $a^{(i)}$ satisfies $b = F(a^{(i)})$ for every $i$, Bob
accepts the value. □

5.2. The Concealing Condition

Consider $F(\cdot)$ to be the parity function given in Eq. (11). Define $\sigma_b^{(n)}$ as the
density operator of the state Bob receives when Alice commits $b$. Alice sends
$|a^{(i)}\rangle_{b^{(i)}} = |a_1^{(i)}\rangle_{b_1^{(i)}} \cdots |a_n^{(i)}\rangle_{b_n^{(i)}}$, here
$a^{(i)}$ satisfies $F(a^{(i)}) = b$. For a uniform probability distribution we have

$$\sigma_b^{(n)} = \frac{1}{2^{2n-1}} \sum_{b^{(i)}} \sum_{F(a^{(i)}) = b} |a^{(i)}\rangle_{b^{(i)}}\langle a^{(i)}|. \tag{17}$$

Now we define two trace-preserving quantum operations $\mathcal{E}_1$ and $\mathcal{E}_2$.

Suppose Uf n is the operation element for S±, and {E{\ is a set of operation 

4 

elements for £ 2 , here 

Ei = W = ^H h ®---®H in , (18) 

for i G {0, l} n . Us. is a rotation operator, H° is the unit operator, and H l is 
the Hadamard operator. 
Notice that 

WflO); = |z), eJ , (19) 

here i,j G {0, l} n , and while a = \ we have 

Pi n) = ^l E l°>aW<0|. (20) 

F(a«)=b 

Then we can get 

2 n 

= E E ^T^(^)^|0) aW (0|((^ f )^)t(^)t 

J=l F(a(*))=6 
2 n 

= ^rrE E l« ( °W« W l> (21) 

3=1 F(aW)=6 

Let $b^{(i)} = a^{(i)} \oplus j$, so

$$\mathcal{E}_2 \circ \mathcal{E}_1(\rho_b^{(n)}) = \sigma_b^{(n)}. \tag{22}$$

Trace-preserving quantum operations are contractive, thus

$$D(\sigma_0^{(n)}, \sigma_1^{(n)}) = D(\mathcal{E}_2 \circ \mathcal{E}_1(\rho_0^{(n)}), \mathcal{E}_2 \circ \mathcal{E}_1(\rho_1^{(n)})) \le D(\rho_0^{(n)}, \rho_1^{(n)}); \tag{23}$$

according to Eq. (14), we have

$$D(\sigma_0^{(n)}, \sigma_1^{(n)}) \le \left(\sin\frac{\pi}{4}\right)^n. \tag{24}$$

Lemma 3. Protocol 2 is information-theoretically concealing.

Proof. As the $n$-variable parity function is reused $m$ times in our scheme,
the two density operators of Bob's $m \times n$ qubit states are $\sigma_0^{(n,m)}$ and
$\sigma_1^{(n,m)}$. By using the triangle inequality of trace distance and
$|A \otimes B| = |A| \otimes |B|$, we can show that

$$D(\sigma_0^{(n,m)}, \sigma_1^{(n,m)}) \le m \times \left(\sin\frac{\pi}{4}\right)^n. \tag{25}$$

It can be seen that for every given $m$, every positive polynomial $p(\cdot)$ and
every sufficiently large $n$,

$$D(\sigma_0^{(n,m)}, \sigma_1^{(n,m)}) < \frac{1}{p(n)} \tag{26}$$

holds. Hence the lemma follows. □

We conjecture that if we use other $n_0$-th order correlation immune Boolean
functions instead of the parity function to construct the scheme, it may satisfy
the same inequality (25).



5.3. The Binding Condition

It can be seen that the algorithm to solve $U_A$ in this case also has
$O(2^{3n})$ time complexity and at least $O(2^{2n})$ space complexity, so the
binding condition of Protocol 2 is the same as that of Protocol 1.

6. QS-based bit commitment with referential bits

6.1. The scheme

Protocol 3.

1. Alice makes a commitment $b \in \{0, 1\}$.

2. Alice chooses $a^{(i)}$, $b^{(i)}$ and $c^{(i)} \in \{0, 1\}^n$ randomly, here
$i = 1, 2, \dots, m$, and $a^{(i)}$ satisfies $F(a^{(i)}) = b$.

3. Alice prepares $m \times 2n$ qubits in state
$|a^{(1)}\rangle_{b^{(1)}} |c^{(1)}\rangle_{b^{(1)}} \cdots |a^{(m)}\rangle_{b^{(m)}} |c^{(m)}\rangle_{b^{(m)}}$,
and sends them to Bob with the values of $c^{(i)}$ published as a piece of evidence
for her commitment.

4. Alice opens by declaring $b$ and the values of $a^{(i)}$ and $b^{(i)}$.

5. Bob checks states of qubits by corresponding projective measurements
based on $b^{(i)}$, the same as in Protocol 2. Here he verifies
two sets of data: first, the $c^{(i)}$ published before should accord with the
measurement values; second, $a^{(i)}$ should satisfy $b = F(a^{(i)})$ for every
$i$. If so, Bob accepts the commitment. □

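6.2. The Concealing Condition

Also consider $F(\cdot)$ to be the parity function given in Eq. (11). For a uniform
probability distribution, when $c^{(i)}$ is published, the density operator
for every $i$ is

$$\tau_b^{(n)}(c^{(i)}) = \frac{1}{2^{2n-1}} \sum_{b^{(i)}} \sum_{F(a^{(i)}) = b} \left(|a^{(i)}\rangle_{b^{(i)}}\langle a^{(i)}| \otimes |c^{(i)}\rangle_{b^{(i)}}\langle c^{(i)}|\right), \tag{27}$$

then the trace distance between $\tau_0^{(n)}(c^{(i)})$ and $\tau_1^{(n)}(c^{(i)})$ is

$$\begin{aligned}
D(\tau_0^{(n)}(c^{(i)}), \tau_1^{(n)}(c^{(i)})) = \frac{1}{2^{2n}} \mathrm{Tr}\Big| \bigotimes_{j=1}^{n} \big(
&|0\rangle_0\langle 0| \otimes |c_j^{(i)}\rangle_0\langle c_j^{(i)}| - |1\rangle_0\langle 1| \otimes |c_j^{(i)}\rangle_0\langle c_j^{(i)}| \\
+ &|0\rangle_1\langle 0| \otimes |c_j^{(i)}\rangle_1\langle c_j^{(i)}| - |1\rangle_1\langle 1| \otimes |c_j^{(i)}\rangle_1\langle c_j^{(i)}| \big) \Big|.
\end{aligned} \tag{28}$$

Let

$$\theta(i) = |0\rangle_0\langle 0| \otimes |i\rangle_0\langle i| - |1\rangle_0\langle 1| \otimes |i\rangle_0\langle i| + |0\rangle_1\langle 0| \otimes |i\rangle_1\langle i| - |1\rangle_1\langle 1| \otimes |i\rangle_1\langle i|, \tag{29}$$

then we can rewrite the trace distance as

$$D(\tau_0^{(n)}(c^{(i)}), \tau_1^{(n)}(c^{(i)})) = \frac{1}{2^{2n}} \mathrm{Tr}\Big|\bigotimes_{j=1}^{n} \theta(c_j^{(i)})\Big| = \frac{1}{2^{2n}} \prod_{j=1}^{n} \mathrm{Tr}\,|\theta(c_j^{(i)})|. \tag{30}$$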



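Remark 1. This direct product decomposition can also be used to solve the
trace distances $D(\rho_0^{(n)}, \rho_1^{(n)})$ and $D(\sigma_0^{(n)}, \sigma_1^{(n)})$ of the first
two protocols. We give that:

$$\rho_0^{(n)} - \rho_1^{(n)} = \frac{1}{2^{n-1}} \left(|\psi_0\rangle\langle\psi_0| - |\psi_1\rangle\langle\psi_1|\right)^{\otimes n}; \tag{31}$$

$$\sigma_0^{(n)} - \sigma_1^{(n)} = \frac{1}{2^{2n-1}} \left(|0\rangle_0\langle 0| - |1\rangle_0\langle 1| + |0\rangle_1\langle 0| - |1\rangle_1\langle 1|\right)^{\otimes n}. \tag{32}$$

In this way the trace distances can result in exact values. □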
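The matrix expressions of $\theta(c_j^{(i)})$ are shown as:

$$\theta(0) = \begin{pmatrix} 1 & 0 & 1/2 & 1/2 \\ 0 & 0 & 1/2 & 1/2 \\ 1/2 & 1/2 & -1 & 0 \\ 1/2 & 1/2 & 0 & 0 \end{pmatrix}, \tag{33}$$

$$\theta(1) = \begin{pmatrix} 0 & 0 & 1/2 & -1/2 \\ 0 & 1 & -1/2 & 1/2 \\ 1/2 & -1/2 & 0 & 0 \\ -1/2 & 1/2 & 0 & -1 \end{pmatrix}. \tag{34}$$

They have the same characteristic polynomial:

$$\lambda^4 - 2\lambda^2 + \frac{1}{4}, \tag{35}$$

then we have:

$$\mathrm{Tr}\,|\theta(0)| = \mathrm{Tr}\,|\theta(1)| = 2\sqrt{3}, \tag{36}$$

so we get the value of the trace distance:

$$D(\tau_0^{(n)}(c^{(i)}), \tau_1^{(n)}(c^{(i)})) = \left(\frac{\sqrt{3}}{2}\right)^n; \tag{37}$$

it holds for every $i$ and $c^{(i)}$.

The density operator for Bob when Alice commits $b$ is

$$\tau_b^{(n,m)} = \bigotimes_{i=1}^{m} \tau_b^{(n)}(c^{(i)}). \tag{38}$$

The trace distance between $\tau_0^{(n,m)}$ and $\tau_1^{(n,m)}$ is easily given:

$$D(\tau_0^{(n,m)}, \tau_1^{(n,m)}) \le m \times \left(\frac{\sqrt{3}}{2}\right)^n, \tag{39}$$

which means

$$D(\tau_0^{(n,m)}, \tau_1^{(n,m)}) < \frac{1}{p(n)} \tag{40}$$

holds for every given $m$, every positive polynomial $p(\cdot)$ and every
sufficiently large $n$. Based on Theorem 1, we know that this protocol is
information-theoretically concealing.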
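
The single-block trace distances behind Lemma 2, Eq. (24) and the result of Sec. 6.2 can be checked numerically for small $n$. The Python sketch below is an added example, not code from the paper: it builds Bob's density operators directly from the protocol definitions with the parity function and compares the computed distance with $(\sin\alpha)^n$, $(\sin\frac{\pi}{4})^n$ and $(\frac{\sqrt{3}}{2})^n$. The helper names are hypothetical, and real amplitudes with $|\psi_0\rangle = |0\rangle$ and $|\psi_1\rangle$ at angle $\alpha$ are assumptions of the example.

```python
import itertools
import math

def kron(A, B):
    """Kronecker product of two square matrices given as lists of rows."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def proj(v):
    """Projector |v><v| for a real state vector v."""
    return [[x * y for y in v] for x in v]

def mean(ops):
    """Entry-wise average of equally sized matrices (a uniform mixture)."""
    d = len(ops[0])
    return [[sum(op[r][c] for op in ops) / len(ops) for c in range(d)]
            for r in range(d)]

def sym_eigvals(M, sweeps=60, tol=1e-24):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    A = [row[:] for row in M]
    n = len(A)
    for _ in range(sweeps):
        off = sum(A[i][j] ** 2 for i in range(n) for j in range(i + 1, n))
        if off < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-300:
                    continue
                theta = (A[q][q] - A[p][p]) / (2 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1 / math.sqrt(t * t + 1)
                s = t * c
                for k in range(n):  # A <- A J (columns p and q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A (rows p and q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [A[i][i] for i in range(n)]

def trace_distance(R0, R1):
    """D(R0, R1) = (1/2) Tr|R0 - R1| for real symmetric density matrices."""
    diff = [[x - y for x, y in zip(r0, r1)] for r0, r1 in zip(R0, R1)]
    return 0.5 * sum(abs(e) for e in sym_eigvals(diff))

def committed_state(n, bit, site):
    """Bob's state for commitment `bit`: uniform mixture over all strings a
    with parity(a) == bit; site(j, a_j) is the operator at position j."""
    terms = []
    for a in itertools.product((0, 1), repeat=n):
        if sum(a) % 2 != bit:
            continue
        op = [[1.0]]
        for j, aj in enumerate(a):
            op = kron(op, site(j, aj))
        terms.append(op)
    return mean(terms)

S = 1 / math.sqrt(2)
# BASIS[beta][a] is |a>_beta: beta = 0 gives |0>, |1>; beta = 1 gives |+>, |->.
BASIS = {0: [(1.0, 0.0), (0.0, 1.0)], 1: [(S, S), (S, -S)]}

def protocol1_distance(n, alpha):
    """Protocol 1: two non-orthogonal states at angle alpha (assumed real)."""
    psi = [(1.0, 0.0), (math.cos(alpha), math.sin(alpha))]
    site = lambda j, a: proj(psi[a])
    return trace_distance(committed_state(n, 0, site), committed_state(n, 1, site))

def protocol2_distance(n):
    """Protocol 2: the hidden basis bit is averaged out at every position
    (the uniform sum over basis strings factorises position by position)."""
    site = lambda j, a: mean([proj(BASIS[b][a]) for b in (0, 1)])
    return trace_distance(committed_state(n, 0, site), committed_state(n, 1, site))

def protocol3_distance(c):
    """Protocol 3 with published referential bits c; qubits are ordered
    (a_1, c_1, a_2, c_2, ...), a permutation that leaves the distance unchanged."""
    site = lambda j, a: mean([kron(proj(BASIS[b][a]), proj(BASIS[b][c[j]]))
                              for b in (0, 1)])
    n = len(c)
    return trace_distance(committed_state(n, 0, site), committed_state(n, 1, site))

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, protocol1_distance(n, math.pi / 3), protocol2_distance(n))
    print(protocol3_distance((0, 1)))
```

For each protocol the computed value matches the closed form, so the distance Bob can exploit shrinks geometrically in the string length $n$, which is the concealing argument of the three lemmas.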
6.3. The Binding Condition

It is the same as the above protocols. 



7. Other protocols 

Besides three protocols described above, we can also construct other QS- 
based bit commitment protocols. There are four examples. 

7.1. Scheme using both variable states and function value states

Protocol 4.

1. Alice chooses a commitment value $b \in \{0, 1\}$.

2. Alice chooses $x \in \{0, 1\}^n$ randomly.

3. Alice prepares states $|0\rangle_x |0\rangle_y$, $y = f_b(x)$, then Alice sends the state to
Bob as a piece of evidence for her commitment. Functions $f_0(\cdot)$, $f_1(\cdot)$
are known by both of them.

4. Alice opens by declaring $b$ and the values of $x$, and Bob checks the received
states of qubits.

5. Bob accepts the commitment if $y$ is equal to $f_b(x)$. □

If we use only the function value state $|0\rangle_y$ to commit, Alice can easily cheat
by finding a collision. So we use both variable states and function value
states to commit. If Alice plans to cheat, she needs to prepare the state in
Bob's hand remotely. According to the no-go theorem, she can prepare an
entangled state



The concealing condition of this protocol is not easy to satisfy. We must 
guarantee that there is no simple correlation between variable bit and func- 
tion value bit. It can be seen that permutation cannot be used in this pro- 
tocol. 

7.2. Scheme using basis string 

In the protocol El we use four states to encode the evidence state without 
opening the basis of qubits. In fact, we can also encode the basis string of 
qubits while opening the string of qubits itself. Here we present a protocol 
follows this idea. 




(41) 



X 
Protocol 5.

1. Alice chooses a commitment value $b \in \{0, 1\}$.

2. Alice chooses $a^{(i)}, b^{(i)} \in \{0, 1\}^n$, $i = 1, 2, \dots, m$ randomly, where
$b^{(i)}$ satisfies $F(b^{(i)}) = b$.

3. Alice prepares $m \times n$ qubits in state
$|a^{(1)}\rangle_{b^{(1)}} \cdots |a^{(m)}\rangle_{b^{(m)}}$ and sends them
to Bob as a piece of evidence for her commitment.

4. Alice sends the values of $a^{(i)}$ within the commit phase.

5. In the open phase, Alice unveils the values of $b$ and $b^{(i)}$.

6. Bob checks each qubit via projective measurements as above.

7. Bob accepts the commitment value if $b^{(i)}$ satisfies $b = F(b^{(i)})$ for every
$i$. □

It is worth mentioning that we can get $a_j^{(i)}$ from the qubit
$|a_j^{(i)}\rangle_{b_j^{(i)}}$ and $b_j^{(i)}$, but we cannot get the value of $b_j^{(i)}$
from the qubit and $a_j^{(i)}$ with probability 1.
Based on this property Alice can open $a^{(i)}$ before the open phase, and the
binding condition is still guaranteed with the aid of the correlation immune
Boolean function.

Note that if $a_j^{(i)} = 0$ for every $i$ and $j$, this protocol becomes the same as
Protocol 1.

7.3. Scheme using relative phase 

Besides using basis, we can also use a relative phase to commit. 

Protocol 6.

1. Alice chooses a commitment value $b \in \{0, 1\}$, and chooses randomly
$x, e \in \{0, 1\}^n$ satisfying $e \ne (0, 0, \dots, 0)$.

2. Alice prepares state $|x\rangle + (-1)^b |x \oplus e\rangle$ and sends the state to Bob.

3. Alice opens the values of $e$ and $b$.

4. Bob chooses randomly one nonzero bit of $e$, and uses the corresponding
qubit as control qubit to do a CNOT operation on the qubits corresponding to
the other nonzero bits of $e$. After this Bob checks the state of the control
qubit by measuring it with basis $\{|+\rangle, |-\rangle\}$. He accepts the commitment if
the result is $b$. □






Define 

» _ 

2«f2™ - U < 

» » 



It can be proved that D{p^ \ p\ ) < -J^. Therefore, Alice can prepare the 
following state if she wants to attack: 

^2^\x,e) A ^(\x) + \x®e)) B . (43) 

x,e 

7.4. An interactive scheme

Let $F_1, F_2, \dots, F_k$ be $k$ sets of Boolean functions; the domain of the functions
in $F_i$ is $\{0, 1\}^{n_1 + n_2 + \cdots + n_i}$.

Protocol 7.

1. Bob chooses randomly $f_{1j_1} \in F_1$ and sends it to Alice.

2. Alice chooses a commitment value $b \in \{0, 1\}$ and chooses randomly
$a^{(1)}, b^{(1)} \in \{0, 1\}^{n_1}$ satisfying $f_{1j_1}(a^{(1)}) = b$, and sends
$|a^{(1)}\rangle_{b^{(1)}}$ to Bob.

3. Bob chooses randomly $f_{ij_i} \in F_i$ and sends it to Alice.

4. Alice chooses randomly $a^{(i)}, b^{(i)} \in \{0, 1\}^{n_i}$ satisfying
$f_{ij_i}(a^{(1)}, a^{(2)}, \dots, a^{(i)}) = b$, and sends $|a^{(i)}\rangle_{b^{(i)}}$ to Bob.

5. Repeat steps 3 and 4 with $i = 2, \dots, i_0$, here $i_0$ is chosen by Bob for
each execution of the protocol.

6. Alice opens $b$ and all the states she has sent.

7. Bob checks the states.

8. Bob verifies that the output of every function he chose is $b$, and accepts
the commitment. □

In this protocol, if Alice wants to attack with the attack of the no-go 
theorem, she has to take into account all possible replies of Bob before the 
execution of the protocol, and prepares a state as follows: 

E E (V (1 V)®E E d« (2 V® ))■ (44) 

h,bW f ln ( a W)=0 \ j 2 ,6(2) f 2j2 (am,aW)=0 / 

In the other protocols, Alice can prepare the state for each $i = 1, 2, \dots, m$
separately, but in this protocol it is entangled over $i = 1, 2, \dots, m$. It seems
more complex than that of the other protocols, but can still be prepared
efficiently.

8. Practical scheme against channel loss and error

The protocols described above will be much more useful if we can transform
them into practical ones. Here we present a way to realize this goal by using
error correcting code (ECC).

Channel loss 

One may think that the protocols proposed are already secure against
channel loss. This opinion is based on the following consideration: Alice does
not know which qubits are lost, so she cannot always cheat successfully via a
different opening of these qubits. Bob can simply verify the consistency
of his measurement results and the values Alice opened to decide whether to
accept the commitment value.

In fact, a problem that exists in every QS-based protocol executed over a lossy
channel is that Alice can always attack with a low-loss channel: she keeps
several qubits in hand and sends the rest through a low-loss channel, then she
can cheat by opening these qubits with different values, and Bob cannot
detect this attack at all.

Channel error 

In this situation a QS-based protocol without additional design cannot
be operated properly, since the inconsistency between the opened information
and the measurement results can be attributed to either channel errors or
Alice's cheating.

The solution 

Generally speaking, channel loss can be regarded as a kind of channel 
error, because a disappeared qubit can always be regarded as an error qubit 
in state |0). Therefore, if a QS-based bit commitment protocol is one against 
channel error, we treat it as one against channel loss. 

Next we construct a protocol based on ECC. In order to keep concealing, 
we should build the ECC C as follows: 

Suppose (x?) matrix G and 77 x (77 — £) matrix H are generator matrix 
and check matrix of an ECC C\ with error correcting ability t, and there is 
one row of H whose every entry is " 1" . It can be shown that any 2t rows of 
this matrix are linear independent. 

Let (77 — 1) x (77 — ^) matrix H' has every row of H except that with 
all "1" entries. Define C by a generator matrix x^-i) = (H') T , here 
requiring r] — £ is a factor of n. Then the check matrix of C is i?^_i) x (^-i),
and the n-qubit string is encoded into £-qubit string, here ( = x (£ — 1). 
Generally speaking, it is difficult to get the optimal check matrix from a 
generator matrix since this problem is related with the NP-complete problem 
of finding the decode algorithm of a general linear ECC. However, we can 
get the H efficiently for given parameters 77, £. 

The above method leads to that the values of any It — 1 bits of each 
codeword of C are independent statistically from the commitment value. As 
a result, the probability of Bob's getting the parity bit with an (77 — l)-qubit 
string is less than 



p(i) 

fmax 



Y, C UP l s( l -PsT- 1 -\ (45) 



=2t 



where p s denotes the probability of Bob getting one qubit's value correctly, 
which is related to the probability of distinguishing two nonorthogonal states 
and of channel error rate. Then the probability of Bob's getting the commit- 
ment value with an £-qubit string is less than 

2W = (p£L)^- (46) 

As the number of C-qubit-strings involved in a protocol is m, the proba- 
bility of Bob's getting the commitment value is less than 

Pmax 1 (1 Pmax^) • (47) 

Assume the probability of channel error is p ce , for any QS-based protocol 
with n t h evidences, the worst situation is that Alice has a super channel with 
no channel error and then she can open with some values changed which are 
chosen by her. If the changes Bob found are less than nxp ce , Alice can cheat 
successfully. However we show that the encoding with suitable ECC C can 
help Bob resist Alice's attack and benefits the binding condition. 

Let the error correcting ability of C is t', it satisfies 

t' > (£ - 1) x Pce . (48) 

Assume each change of value by Alice should be found out by Bob with 
probability p cv (it should be \ in most cases), then we just need 

(f + 1) x — - xp cv > nx p ce . (49) 
This means if the expanded protocol with ECC satisfies

t'>( V -C)x—-l, (50) 

Pcv 

every time Alice cheats with value changes, the number of errors Bob finds
will be more than it should be. Therefore the protocol can resist the super
channel attack by Alice.

However, this method leads to redundant information, which is
disadvantageous to the concealing condition. We need the protocol to satisfy
Theorem 1.

Take Protocol 2 as an example. Assume $m = 1$, then the extended
protocol is shown as follows:

Protocol 8.

1. Alice makes a commitment $b \in \{0, 1\}$.

2. Alice chooses a = (ai, a 2 . . . , a n ) G {0, l} n randomly. Then she uses 
ECC C to code a and gets c 1 = (c\, ■ ■ ■ , c^Lj, • • ■ , = (c±~ s , • ■ ■ , c2zt ) 

71 

3. Alice chooses b\, ■ ■ ■ , b^Z\ G {0, 1} randomly, prepares ( qubits in state 

n 

\c\) b i ■ ■ ■ |c|~i ) « and sends to Bob as a piece of evidence for her com- 
mitment. 

4. Alice opens by declaring b and the values of a, a? and bf. 

5. Bob checks states of qubits by corresponding projective measurements: 
ifb\ = 0, Bob measures with basis {|0), |1)} ; else with basis {|+), | — }}. 
Bob decode the result of measurement with C , the error probability 
should less than p ce and the message should be a. 

6. Bob checks value b = F(a). □ 

Assume q, is the density operator of quantum state Bob receives before 
open phase while Alice commits b, it should contain the channel error. Let 
the decoding process of C be C, so we get 



n 

F(C>{c 1 ),---,C>{c~^))=b 

they should satisfy that 



<g>® 1^(41 (51) 
\j=i i=i 



DM<^y (52) 
9. Discussion

Our analysis of security above is for the situation that only one of Alice
and Bob is dishonest.

It can be seen that the QS-based QBC protocols have a common weakness:
the security of binding would not be guaranteed in a practical case
with channel loss or error. We solve this problem for the first time by
transforming QS-based protocols into ones with error correction coding. Both
bounded channel loss and error can be solved in this way, since we can take
channel loss as a special channel error and operate against it with an
error-correction code (ECC). Only the conditions for the QBC protocols based on
the parity function have been given explicitly. How to transform general QBC
protocols into practical ones is still worth considering. Furthermore, the
ECC-based method is proved secure against individual attack only; the
security against more general attacks is still an open problem.

Another problem in practice is the lack of a single photon source. It can be
seen that the weak coherent pulse source cannot guarantee the two necessary
conditions at the same time: 1. Alice sends almost every qubit via emitting a
single photon; 2. Bob receives almost every qubit. It can be seen that the
weak coherent pulse source is not suitable for our protocol. We need a single
photon source to accomplish the practical protocol in some laboratories.

10. Conclusion 

We suggest a definition of information-theoretic concealing for quantum
bit commitment, then propose three kinds of QS-based bit commitment
protocols and prove that they are information-theoretically concealing. Their
binding is considered under a new concept, "physical security of protocol".

We have also suggested four other QS-based protocols without proof of
security. They will give some hints to help us get closer to the goal of
an unconditionally secure QBC protocol.

Finally, we give a method to transform QS-based protocols into practical
ones with ECC.
Appendix A. The attack to the binding condition

From Eq. (14) we have

$$F(\rho_0^{(n)}, \rho_1^{(n)}) \ge 1 - (\sin\alpha)^n. \tag{A.1}$$

As shown in Sec. 2.3, this result means Alice can use a local unitary
transformation to perform a successful cheat. Here we show a method to solve
for $U_A$ of QS-based protocols.

For a cheating Alice, the states she prepared were shown as Eqs. (1) and
(3) in Sec. 2.3. Now Alice needs to get the state $|\nu\rangle$ whose reduced density
operator is the same as that of $|0\rangle$, and which satisfies
$\langle 1|\nu\rangle = F(\rho_0^{(n)}, \rho_1^{(n)})$. After
that she must find the local unitary transformation $U_A$ to transform $|0\rangle$
into $|\nu\rangle$.

In order to achieve these goals, Alice should do as follows:

1. The Schmidt decomposition of $|0\rangle$ and $|1\rangle$.

There exists an orthogonal basis set $\{|0\rangle, |1\rangle\}^{\otimes n}$ for subsystems A and
B, thus $|0\rangle$ can be written as

|0)=X)W>a® (A.2) 
where i,j G {0, 1, . . . , 2™ — 1}, and

= ^a k B (jWf)B 



if w(i),w(j) is even, here w(-) means Hamming weight; else 



e i3 = o. 



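Consider the matrix with entries $\theta_{ij}$. According to the singular value
decomposition, this matrix can be written as $UDV$, here $D$ is a diagonal matrix
with positive elements, and $U$ and $V$ are unitary matrices. Thus

$$|0\rangle = \sum_{i,j,k} u_{ik} d_{kk} v_{kj} |i\rangle_A \otimes |j\rangle_B. \tag{A.3}$$

Define $|x_k\rangle_A = \sum_i u_{ik} |i\rangle_A$, $|y_k\rangle_B = \sum_j v_{kj} |j\rangle_B$, and
$\lambda_k = d_{kk}$; we can see that

$$|0\rangle = \sum_k \lambda_k |x_k\rangle_A \otimes |y_k\rangle_B. \tag{A.4}$$

It can be seen that $\{|x_k\rangle_A\}$ and $\{|y_k\rangle_B\}$ form two orthogonal basis sets.

Similarly, Alice gets

$$|1\rangle = \sum_k \lambda'_k |x'_k\rangle_A \otimes |y'_k\rangle_B. \tag{A.5}$$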

2. The polar decomposition of $\sqrt{\rho_1^{(n)}}\sqrt{\rho_0^{(n)}}$.

$\rho_0^{(n)}$ and $\rho_1^{(n)}$ are defined with Eq. (12). The related polar
decomposition is


T. 



(A.6) 



There exists an orthogonal basis set in which $\rho_0^{(n)}$ and $\rho_1^{(n)}$ are in
block-diagonal form [20] and the blocks have a general expression, so that we
can give the entries of matrix $T$ based on this orthogonal basis.

3. Solving $U_A$.

Based on the proof of Uhlmann's theorem given by Jozsa [24], [25], we have


\u) = (/ ® ^Tt) £ K) A ® |^%. (A.7) 
It can be seen that there exists a local unitary transformation of Alice,
$U_A$, transforming $|0\rangle$ into $|\nu\rangle$.

Note that = J2i \M 2 \Vi) BEt{yi\, it gives 



' i 

Wi) A ® \ j \y j )BB{yj\T ] \y' i ) B 



hi 



= S> {^b^T^sW^ ® \y 3 ) B . (A.8) 

It can be seen that 

U A \x t )=J2B(y^\y^ B \x^ A . (A.9) 

i 

Then Alice can get all elements of $U_A$ from this equation.